The Outsourcing of Your DPO in Full: A Scandal in the Making

On June 27 by Mark Orchison

The GDPR requires every public authority (which includes state-funded schools) to designate a Data Protection Officer (DPO). All other types of school must carry out and document an internal analysis to determine whether a DPO needs to be appointed. That analysis is itself part of the principle of accountability. In a previous webinar we discussed everything you need to know about appointing a DPO / DPL.

Where a school determines that a DPO is not needed, a Data Protection Lead (DPL) is still required and many of the responsibilities remain the same. For more information on how we can support your organisation, see our DPO Essentials Service here.

Need help with the GDPR? Our most recent school-focused webinar outlines the risks associated with outsourcing the DPO role.

OUTSOURCING THE DPO

The GDPR allows organisations to outsource the responsibilities of the DPO under a service contract. Reading the guidance on outsourcing, the provision is aimed more at larger organisations, which may appoint a contractor or consultant who is based within the organisation. If your school plans to outsource the role of the DPO, you must be aware of the implications, the likely areas of additional cost, and the potential contractual quagmire you will be entering. This article provides an overview of the DPO's responsibilities, the impact of outsourcing full responsibility for the role, and what that means for your school.

Knowledge and accessibility in school

The GDPR is explicit about the role, activities, and responsibilities of the DPO. In considering outsourcing, your leadership must be able to answer how the DPO service will do the following:

Foster a data protection culture

Be involved, properly and in a timely manner, in all issues relating to data protection

Be a sounding board for discussion and part of your working groups associated with managing data

Participate regularly in meetings with both senior and middle management

Have a presence in meetings where decisions are made with data protection implications

Escalate a dissenting opinion to the highest level of management

Have due regard to the risks associated with processing data in your school, taking into account the nature, scope, context, and purpose of processing

Without a physical presence in your school, it is almost impossible to evidence (given the principle of accountability) how a remote DPO service contract can fulfil the obligations of knowledge and accessibility.

Necessary Resources

Your school must provide the necessary resources to evidence compliance with the regulation. An organisation cannot excuse a breach of the GDPR on the grounds of a lack of resources. The DPO must be provided with the resources necessary to carry out their tasks, must not receive instructions regarding the exercise of those tasks, and must have adequate financial, infrastructure and staff support where required. Your school also needs to have the following in place:

The opinion of the DPO must always be given due weight. Where the school disagrees, the reasons for not following the DPO's advice must be documented

Necessary access to HR, legal, IT, and security services

Where there is a breach, the ability to liaise with the supervisory authority and to put in place the resources needed to manage the breach

By outsourcing the DPO role, you are handing authority and autonomy over the spending of your financial resources to the outsourced provider. Without good reason, you will have little room to challenge their decisions on how your money is spent. You are also exposing yourself to the provider using its own in-house legal, IT, HR and security expertise, which can lead to unknown and uncontrolled spend. Don't be dazzled by the headline cost of a DPO service: it is in the additional charges that outsourced providers will seek to make their profit.

Position of a DPO appointed under a service contract

Under the regulation, the contract you sign with an outsourced DPO service cannot be unfairly terminated, and the individuals who work for the outsourced provider enjoy the same protection against unfair termination for performing their DPO tasks. This means you are inadvertently signing up to a contract delivered by people you have no control over, with little or no influence on quality, for an indefinite period and with reduced ability to terminate. Under the ESFA Academies Financial Handbook (the funding guidelines for state schools in England), it would be deemed inappropriate to agree to or sign such a contract without exercising due diligence. In most other schools or organisations, a contract of this type would likely require governor or trustee approval.

The Article 29 Working Party guidelines on the DPO state:

“The selective and pragmatic approach should help DPOs advise the controller [your school / organisation] what methodology to use when carrying out a DPIA, which areas should be subject to an internal or external data protection audit, which internal training activities to provide to staff or management responsible for data processing activities, and which processing activities to devote more of his or her time and resources to.”

In terms of demonstrating the principle of accountability, we at 9ine find it difficult to see how any service contract can meet the requirements of the statement above without being on site.

The GDPR is an opportunity for organisations to map data and information flows, assess the risks that processing poses to individuals, create efficiencies, improve the way you work, and secure the personal data of your staff, students and parents. In outsourcing the DPO role, you are likely giving up that opportunity. You also become permanently reliant on an external service company to provide a role that is akin, in legal terms, to that of your Designated Safeguarding Lead / Child Protection Officer. Would you ever outsource that?

There should not be a knee-jerk reaction to outsource. Do not worry if you lack the internal expertise in national data protection law, the GDPR, or cyber security that the guidance calls for. Every organisation in the EU is in the same position, and people with all of those skills are in very short supply at this moment in time. Building competence in your school / organisation in each of those areas is part of the compliance programme. Where you do not have the expertise, document that as a risk and record a mitigating action that gives you interim support in those areas. A further mitigating action is an internal training programme to develop that expertise.

Top Tips:

Appoint a governor / trustee with responsibility for interpreting the Article 29 Working Party guidance on the regulation

Identify a team of three people (with expertise in management, HR, and IT) to carry out the duties of the DPO, one of the three being the nominated DPO or DPL.

It is likely that one or more of the three you have identified will have a conflict of interest. Don't let this be a deterrent. Working together allows more objective and independent decisions and minimises potential conflicts of interest. Where a decision cannot be agreed, seek guidance from the governor / trustee, or from experts such as 9ine. Log this approach, the potential conflict of interest, and how you have sought to mitigate it in your risk log.

Allow the DPO team to come up with their own ideas and suggestions for delivering GDPR compliance within the limited budget you have

In all instances with the GDPR, apply common sense!

We recently hosted a free, school-focused webinar outlining the perils of outsourcing the DPO to a third party. The webinar details the areas of accountability schools need to comply with, including risk management, information rights, breach management, cyber / IT security, data security, and staff training.